Early access open now — First 500 teams get Growth plan free for 3 months. Claim your spot →
Private beta · 500+ developers on the waitlist

The CAPTCHA
is over.

HumanKey detects bots with 120+ behavioral signals — invisibly. No puzzles, no friction, no abandonment. Silent trust verification in under 80ms.

See how it works
Only 247 spots remaining in private beta

No credit card  ·  15-min setup  ·  Cancel any time  ·  First 10k verifications free

humankey · live threat monitor
99.7%
Bot detection accuracy
<80ms
p99 decision latency
120+
Behavioral signals analyzed
0
User-visible challenges
GDPR Compliant
No PII Stored
SOC 2 Ready
CCPA Compliant
99.99% Uptime SLA
Privacy by Design
Teams on the waitlist from
The problem

CAPTCHAs are broken.
For everyone except the bots.

Modern bots solve reCAPTCHA with over 92% accuracy. Meanwhile your real users abandon at record rates.

STAT / 01
40%
Form abandonment when a CAPTCHA appears — up to 64% on mobile. Every puzzle is a checkout you won't complete.
STAT / 02
92%
reCAPTCHA v2 solve rate for modern bot services using ML vision models. The friction falls on your real users.
STAT / 03
3rd
reCAPTCHA sends your users' data to Google — a third-party profiling system embedded in your trust layer.
How it works

Silent by design.
Certain by intelligence.

Three invisible layers between your form and every bot — without touching user experience.

1
Passive signal collection
The SDK (under 8KB) collects 120+ behavioral signals: mouse dynamics, scroll entropy, keystroke timing, touch pressure, device fingerprint — all encrypted before transmission.
2
Edge scoring in <80ms
Signals hit our 30-PoP global edge. The ML engine compares behavior against per-domain baselines — patterns your actual users exhibit that bots cannot replicate.
3
Server-side verification
Call /v1/verify on your backend. Receive a trust score, risk label, and action recommendation.
signal · analysis · live
trust score0.97
HUMAN — allow request
Capabilities

Everything you need.
Nothing you don't.

Adaptive per-domain model
Continuously learns what normal behavior looks like on your specific site, making attacks virtually impossible to replicate at scale.
<80ms p99 latency
30-PoP global edge network ensures sub-80ms verification anywhere on earth, without slowing your application at all.
Privacy-first architecture
No PII ever stored. Signals processed on-edge and discarded immediately. GDPR, CCPA, and nDPR compliant by design.
Bot taxonomy intelligence
Identifies not just if a bot, but which kind: credential stuffers, scraper networks, click farms, DDoS bots, AI-powered solvers.
Developer-first SDK
Open-source client SDK for React, Vue, Next.js, vanilla JS. Express, Django, Rails packages. Integration in under 15 minutes.
Real-time threat dashboard
Live threat map, per-action analytics, configurable rule builder. Set thresholds per action with full audit log retention.
Comparison

Not all bot protection
is equal.

CapabilityreCAPTCHA v3CF TurnstilehCaptchaHumanKey
User friction Med Low High Zero
Behavioral signals~40~30~25120+
Decision latency (p99)150–300ms100–200ms200–400ms<80ms
GDPR / Privacy-first → Google → CF Partial On-edge
Adaptive per-site ML
Bot taxonomy
Open-source SDK
Transparent pricing
Integration

From zero to
protected in minutes.

Drop in the SDK, wrap your form, call verify on your backend. Full protection without a single UX change.

1Install via npm or CDN
2Wrap your form with <HumanKey>
3Verify the signed token server-side
React
Next.js
Vue
Node.js
Python
Go
// npm i @humankey/react
import { HumanKey } from '@humankey/react'

export function LoginForm() {
  return (
    <HumanKey siteKey="hk_live_...">
      <form onSubmit={handleSubmit}>
        {/* your form — unchanged */}
      </form>
    </HumanKey>
  )
}
Early feedback

What beta testers
are saying.

We dropped reCAPTCHA v3 last year after bots kept passing and our users kept failing. HumanKey is exactly the architecture we wished existed.
MR
Marcus R.
CTO, Devflow — B2B SaaS
Our checkout abandonment dropped 18% in week one. The integration took 12 minutes. I keep expecting to see a challenge appear — it never does.
SL
Sophie L.
Head of Engineering, Stacklane
GDPR compliance was killing us with reCAPTCHA. HumanKey processes everything at the edge and stores nothing. Our DPO approved it in 24 hours.
AK
Arjun K.
Lead Dev, Orion Finance — Fintech
Pricing

Simple, predictable pricing.
Scale without surprises.

Pay for verified sessions, not for features.

14-day free trial
No credit card required
Cancel any time
Setup in 15 minutes
Annual discount 20%
Free
$0/mo
10,000 verifications/month
1 domain
Core behavioral detection
Basic dashboard (7-day logs)
Starter
$29/mo
100,000 verifications/month
3 domains
Webhooks & alerts
30-day log retention
Most popular
Growth
$99/mo
500,000 verifications/month
10 domains
Custom score rules
Advanced analytics
Slack & PagerDuty
Scale
$299/mo
2,000,000 verifications/month
Unlimited domains
SLA 99.99%
SSO / SAML

Annual plans save 20% · Enterprise & on-premise available

FAQ

Questions we get
all the time.

What happens if HumanKey is unsure whether a user is human?
HumanKey returns a continuous trust score from 0 to 1. For borderline cases you decide the action via the rule builder: allow, show a lightweight step-up challenge, or block. Fewer than 0.3% of real users ever see any friction.
Can sophisticated bots bypass HumanKey by mimicking human behavior?
The per-domain adaptive baseline is HumanKey's core moat. Generating a convincing baseline requires actual prior exposure to your specific site. Generic behavioral mimicry fails because the model learns what YOUR users do specifically — not what humans do in general.
How is this different from Cloudflare Turnstile?
Turnstile is rule-based and tied to Cloudflare's network signals (IP reputation, ASN, TLS fingerprint). No behavioral layer, no per-site learning. HumanKey analyzes 120+ client-side behavioral signals, builds a domain-specific model, stores zero PII, and works on any infrastructure.
Does HumanKey comply with GDPR and CCPA?
Yes. No PII is ever collected or stored. All processing happens on-edge and signals are discarded after scoring. We never build cross-site profiles. A Data Processing Agreement (DPA) is included in all paid plans.
When will the beta launch and what does early access include?
Rolling out private beta in order of the waitlist, with public launch in 30 days. Early access members get: Growth plan free for 3 months, direct access to the founding team on Slack, input on the roadmap, and a locked-in early-adopter price for life.
Early access

Stop punishing
your real users.

Join the waitlist. First 500 teams get Growth plan free for 3 months. 15-minute setup, no credit card required.

M
S
A
J
K
500+ developers already on the waitlist

No spam. No credit card. You'll receive an invite when your slot is ready.